Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: libpostal

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-25529
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 1 week ago Activity log
  • Created suggestion 1 month, 1 week ago
Postal has HTML injection / XSS in message view

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be injected in to the page which may modify the page in a misleading way or allow for unauthorised javascript to be executed. Fixed in 3.3.5 and higher.

Affected products

postal
  • ==< 3.3.5

Matching in nixpkgs

pkgs.libpostal

C library for parsing/normalizing street addresses around the world. Powered by statistical NLP and open geo data

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1
  • nixos-25.11 1.1
    • nixos-25.11-small 1.1
    • nixpkgs-25.11-darwin 1.1

pkgs.libpostalWithData

C library for parsing/normalizing street addresses around the world. Powered by statistical NLP and open geo data

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1
  • nixos-25.11 1.1
    • nixos-25.11-small 1.1
    • nixpkgs-25.11-darwin 1.1

Package maintainers